Troubleshoot common Bring Your Own Key (BYOK) issues

This article discusses troubleshooting methods for the most common Bring Your Own Key (BYOK) issues on Microsoft Azure Kubernetes Service (AKS).

Prerequisites

Troubleshooting checklist

Step 1: Register a preview feature to enable BYOK on an ephemeral OS disk

To register the preview feature that enables BYOK on an ephemeral operating system (OS) disk (Microsoft.ContainerService/EnableBYOKOnEphemeralOSDiskPreview), run the az feature register command, and then confirm that the registration state is Registered by running the az feature show command. For instructions, see Register customer-managed key (preview) feature.

Step 2: Create a cluster that uses BYOK on an ephemeral OS disk

To create an AKS cluster that uses BYOK on an ephemeral OS disk, run the az aks create command. For instructions, see Create a new AKS cluster and encrypt the OS disk.

Note

If you don't specify the --node-osdisk-type parameter in the az aks create command, the default OS disk type for the node is Ephemeral only if the current virtual machine (VM) size supports ephemeral OS disks. For more information, see Ephemeral OS disks for Azure VMs.

Cause 1: Can't enable purge protection in the key vault

If you receive a CreateVMSSAgentPoolFailed error code together with a KeyVaultNotPurgeProtectionEnabled error subcode, the creation of an agent pool for a virtual machine scale set failed because purge protection wasn't enabled on the key vault when the key vault was created.

Solution 1: Enable purge protection when you create the key vault

Run the az keyvault create command again, and specify a value of true for the --enable-purge-protection parameter. For instructions, see Create an Azure Key Vault instance.

Cause 2: Key vault and disk are in different regions when agent pool creation fails for a virtual machine scale set

If you receive a CreateVMSSAgentPoolFailed error code and a KeyVaultAndDiskInDifferentRegions error subcode, the key vault and the disk encryption set are located in different regions. The key vault and disk encryption set must be in the same region.

Solution 2: Use the same region as for the disk when you create the key vault

Run the az keyvault create command again, and make sure that the value that you specify in the --location parameter is the same region that you used for the disk encryption set. For instructions, see Create an Azure Key Vault instance.

Cause 3: Disk encryption set isn't granted

If you remove the disk encryption set's access permission on the key vault, the AKS cluster nodes can't run. In this situation, the disk encryption set page of the Azure portal shows the following error message:

To associate a disk, image, or snapshot with this disk encryption set, you must grant permissions to the key vault.

Solution 3: Update the security policy settings

Grant the disk encryption set access to the key vault again by running the az keyvault set-policy command. For instructions, see Grant the DiskEncryptionSet access to key vault.
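The following script is an added example, not part of the original article or of the Azure CLI documentation. It turns the checklist above (Steps 1 and 2 plus Causes 1 to 3) into a preflight check that you can run before az aks create, so that the KeyVaultNotPurgeProtectionEnabled, KeyVaultAndDiskInDifferentRegions, and missing-permission conditions are caught up front instead of surfacing as a CreateVMSSAgentPoolFailed error. The az commands and flags are real; the resource names (myResourceGroup, myKeyVault, myDiskEncryptionSet, myAKSCluster) are assumed placeholders, the BYOK_PREFLIGHT and BYOK_CREATE environment variables are a convention chosen for this example, and the region and permission values used in the comments are constructed. The comparison logic is kept in plain shell functions that need no Azure access, so they can be exercised offline.

```shell
#!/usr/bin/env sh
# Added example (not from the original article): preflight checks for the
# three BYOK failure causes, plus the feature registration and cluster
# creation commands from Steps 1 and 2. Resource names are placeholders.

# ---- Pure checks: no Azure access, so they can be tested offline ----

# Cause 1: the key vault must report enablePurgeProtection == true.
check_purge_protection() {
  case "$1" in
    true|True) return 0 ;;
    *)         return 1 ;;
  esac
}

# Cause 2: key vault and disk encryption set must be in the same region.
# Azure location names compare case-insensitively and without spaces,
# so a constructed "East US" equals "eastus".
normalize_region() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' '
}
check_same_region() {
  [ "$(normalize_region "$1")" = "$(normalize_region "$2")" ]
}

# Cause 3: the disk encryption set's identity needs get, wrapKey and
# unwrapKey on the vault's keys. Input is a permission list separated by
# spaces, tabs, newlines or commas, in any case (e.g. "get wrapKey unwrapKey").
check_key_permissions() {
  perms=" $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr ',\t\n' '   ') "
  for needed in get wrapkey unwrapkey; do
    case "$perms" in
      *" $needed "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# ---- Live wrapper: queries Azure and applies the checks above ----
byok_preflight() {
  rg="$1"; kv="$2"; des="$3"

  purge=$(az keyvault show -g "$rg" -n "$kv" --query properties.enablePurgeProtection -o tsv)
  check_purge_protection "$purge" || {
    echo "FAIL: purge protection is not enabled on $kv (KeyVaultNotPurgeProtectionEnabled)" >&2
    echo "      fix: az keyvault create -g $rg -n $kv --enable-purge-protection true -l <region>" >&2
    return 1
  }

  kv_loc=$(az keyvault show -g "$rg" -n "$kv" --query location -o tsv)
  des_loc=$(az disk-encryption-set show -g "$rg" -n "$des" --query location -o tsv)
  check_same_region "$kv_loc" "$des_loc" || {
    echo "FAIL: $kv is in $kv_loc but $des is in $des_loc (KeyVaultAndDiskInDifferentRegions)" >&2
    return 1
  }

  pid=$(az disk-encryption-set show -g "$rg" -n "$des" --query identity.principalId -o tsv)
  perms=$(az keyvault show -g "$rg" -n "$kv" \
    --query "properties.accessPolicies[?objectId=='$pid'].permissions.keys" -o tsv)
  check_key_permissions "$perms" || {
    echo "FAIL: disk encryption set identity $pid lacks key permissions on $kv" >&2
    echo "      fix: az keyvault set-policy -n $kv --object-id $pid --key-permissions get wrapKey unwrapKey" >&2
    return 1
  }
  echo "OK: $kv and $des pass the BYOK preflight checks"
}

# Steps 1 and 2 of the checklist: register the preview feature, then create
# the cluster with the disk encryption set once the checks pass.
register_and_create() {
  rg="$1"; des="$2"; cluster="$3"
  az feature register --namespace Microsoft.ContainerService --name EnableBYOKOnEphemeralOSDiskPreview
  az feature show --namespace Microsoft.ContainerService --name EnableBYOKOnEphemeralOSDiskPreview \
    --query properties.state -o tsv   # wait until this prints "Registered"
  az provider register --namespace Microsoft.ContainerService
  des_id=$(az disk-encryption-set show -g "$rg" -n "$des" --query id -o tsv)
  az aks create -g "$rg" -n "$cluster" --node-osdisk-type Ephemeral \
    --node-osdisk-diskencryptionsetid "$des_id" --generate-ssh-keys
}

# Nothing runs unless explicitly requested, so sourcing this file is side-effect free.
if [ "${BYOK_PREFLIGHT:-0}" = "1" ]; then
  byok_preflight "${RG:-myResourceGroup}" "${KV:-myKeyVault}" "${DES:-myDiskEncryptionSet}" || exit 1
  if [ "${BYOK_CREATE:-0}" = "1" ]; then
    register_and_create "${RG:-myResourceGroup}" "${DES:-myDiskEncryptionSet}" "${CLUSTER:-myAKSCluster}"
  fi
fi
```

Run it with BYOK_PREFLIGHT=1 (and RG, KV, DES set to your own names) after the key vault and disk encryption set exist; add BYOK_CREATE=1 to continue into feature registration and cluster creation only when all three checks pass. The permission check reads the vault's access policies because that is what az keyvault set-policy manages; a vault that uses Azure RBAC instead of access policies would need a role-assignment check in its place.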

Reference

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.